Require additional authentication at startup

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on: At least Windows Server 2008 R2 or Windows 7

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup; otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for startup. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

Internal name: ConfigureAdvancedStartup_Name
Policy ID: b0603941085a
Elements: 5

Registry values

How enabled and disabled states update the registry.

Scope: Computer
Path: SOFTWARE\Policies\Microsoft\FVE
Value name: UseAdvancedStartup
Type: REG_DWORD
Enabled value: HKLM, 1
Disabled value: HKLM, 0

Policy elements

Inputs and configuration options exposed by this policy.

Scope: Computer
Element: Configure TPM startup key:
ID: ConfigureTPMStartupKeyUsageDropDown_Name
Type: enum
Path: SOFTWARE\Policies\Microsoft\FVE
Value name: UseTPMKey
Registry type: REG_DWORD
Options: Allow startup key with TPM (2), Require startup key with TPM (1), Do not allow startup key with TPM (0)

Scope: Computer
Element: Configure TPM startup PIN:
ID: ConfigurePINUsageDropDown_Name
Type: enum
Path: SOFTWARE\Policies\Microsoft\FVE
Value name: UseTPMPIN
Registry type: REG_DWORD
Options: Allow startup PIN with TPM (2), Require startup PIN with TPM (1), Do not allow startup PIN with TPM (0)

Scope: Computer
Element: Configure TPM startup key and PIN:
ID: ConfigureTPMPINKeyUsageDropDown_Name
Type: enum
Path: SOFTWARE\Policies\Microsoft\FVE
Value name: UseTPMKeyPIN
Registry type: REG_DWORD
Options: Allow startup key and PIN with TPM (2), Require startup key and PIN with TPM (1), Do not allow startup key and PIN with TPM (0)

Scope: Computer
Element: Configure TPM startup:
ID: ConfigureTPMUsageDropDown_Name
Type: enum
Path: SOFTWARE\Policies\Microsoft\FVE
Value name: UseTPM
Registry type: REG_DWORD
Options: Allow TPM (2), Require TPM (1), Do not allow TPM (0)

Scope: Computer
Element: Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
ID: ConfigureNonTPMStartupKeyUsage_Name
Type: boolean
Path: SOFTWARE\Policies\Microsoft\FVE
Value name: EnableBDEWithNoTPM
Registry type: REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
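An added audit script (not part of this policy reference) that reads the registry values listed above and reports the effective startup-authentication configuration, flagging the case the description warns about: more than one startup option set to Require, which yields a policy error rather than a stricter setting. It assumes the Computer-scope values live under HKLM and that the caller has read access to the key.

```powershell
# Added audit script, not part of the policy reference. Assumes Computer scope
# maps to HKLM (as in the Registry values section) and read access to the key.
$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Meanings of the enum values, taken from the policy elements above.
$triState = @{ 2 = 'Allow'; 1 = 'Require'; 0 = 'Do not allow' }
$elements = [ordered]@{
    UseTPM       = 'TPM only'
    UseTPMPIN    = 'TPM + startup PIN'
    UseTPMKey    = 'TPM + startup key on USB'
    UseTPMKeyPIN = 'TPM + startup key and PIN'
}

function Get-FveValue {
    param([string]$Name)
    # Returns $null when the policy has not written this value.
    try { (Get-ItemProperty -Path $fvePath -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

if (-not (Test-Path $fvePath)) {
    Write-Output "$fvePath not present: policy is Not Configured (basic options only)."
    return
}

$advanced = Get-FveValue 'UseAdvancedStartup'
if ($advanced -eq 1)     { Write-Output 'UseAdvancedStartup = 1: policy Enabled, advanced startup options available' }
elseif ($advanced -eq 0) { Write-Output 'UseAdvancedStartup = 0: policy Disabled, basic options only on TPM computers' }
else                     { Write-Output 'UseAdvancedStartup absent: policy Not Configured' }

$required = @()
foreach ($name in $elements.Keys) {
    $v = Get-FveValue $name
    $shown   = if ($null -eq $v) { '-' } else { $v }
    $meaning = if ($null -ne $v -and $triState.ContainsKey([int]$v)) { $triState[[int]$v] } else { 'not set' }
    Write-Output ('{0,-13} = {1,-2} {2,-13} {3}' -f $name, $shown, $meaning, $elements[$name])
    if ($v -eq 1) { $required += $name }
}

# Only one startup option may be set to Require; more than one is a policy
# error, not a stricter configuration.
if ($required.Count -gt 1) {
    Write-Warning ('More than one option set to Require: ' + ($required -join ', '))
}

if ((Get-FveValue 'EnableBDEWithNoTPM') -eq 1) {
    Write-Output 'EnableBDEWithNoTPM = 1: BitLocker allowed without a compatible TPM (password or USB startup key only)'
}
```

Run it in an elevated PowerShell session after a gpupdate to confirm that the values Group Policy applied match the intended configuration.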